def get_jwks_keys(self): keys = KEYS() keys.load_from_url(self.jwks_uri()) # Add client secret as oct key so it can be used for HMAC signatures client_id, client_secret = self.get_key_and_secret() keys.add({'key': client_secret, 'kty': 'oct'}) return keys
def _get_jwks_keys(shared_key): """ Returns JWKS keys used to decrypt id_token values. """ # The OpenID Connect Provider (OP) uses RSA keys to sign/enrypt ID tokens and generate public # keys allowing to decrypt them. These public keys are exposed through the 'jwks_uri' and should # be used to decrypt the JWS - JSON Web Signature. jwks_keys = KEYS() jwks_keys.load_from_url(oidc_rp_settings.PROVIDER_JWKS_ENDPOINT) # Adds the shared key (which can correspond to the client_secret) as an oct key so it can be # used for HMAC signatures. jwks_keys.add({'key': smart_bytes(shared_key), 'kty': 'oct'}) return jwks_keys
def setUp(self): self.user = User.objects.create(username='******') mock_get = self.patch('requests.get') mock_get.return_value.json.return_value = {"jwks_uri": "http://example.com/jwks", "issuer": "http://example.com"} keys = KEYS() keys.add({'key': key, 'kty': 'RSA'}) self.patch('jwkest.jwk.request', return_value=Mock(status_code=200, text=keys.dump_jwks())) api_settings.OIDC_ENDPOINT = 'http://example.com' api_settings.OIDC_AUDIENCE = 'you'
def setUp(self): self.user = User.objects.create(username='******') self.responder = FakeRequests() self.responder.set_response("http://example.com/.well-known/openid-configuration", {"jwks_uri": "http://example.com/jwks", "issuer": "http://example.com", "userinfo_endpoint": "http://example.com/userinfo"}) self.mock_get = self.patch('requests.get') self.mock_get.side_effect = self.responder.get keys = KEYS() keys.add({'key': key, 'kty': 'RSA', 'kid': key.kid}) self.patch('oidc_auth.authentication.request', return_value=Mock(status_code=200, text=keys.dump_jwks()))
def setUp(self): self.user = User.objects.create(username='******') self.responder = FakeRequests() self.responder.set_response("http://example.com/.well-known/openid-configuration", {"jwks_uri": "http://example.com/jwks", "issuer": "http://example.com", "userinfo_endpoint": "http://example.com/userinfo"}) self.mock_get = self.patch('requests.get') self.mock_get.side_effect = self.responder.get keys = KEYS() keys.add({'key': key, 'kty': 'RSA', 'kid': key.kid}) self.patch('jwkest.jwk.request', return_value=Mock(status_code=200, text=keys.dump_jwks()))
def get_jwks_keys(self): """ Returns the keys used to decode the ID token. Note: edX uses symmetric keys, so bypass the parent class's calls to an external server and return the key from settings. """ keys = KEYS() keys.add({ 'key': self.setting('ID_TOKEN_DECRYPTION_KEY'), 'kty': 'oct' }) return keys
def get_jwks_keys(self): """ Returns the keys used by the IdP. Merges client secret into JWK set from server Response is cached for 24 hours. """ keys = KEYS() keys.load_from_url(self.JWKS_URI) # Add client secret as oct key so it can be used for HMAC signatures _client_id, client_secret = self.get_key_and_secret() keys.add({'key': client_secret, 'kty': 'oct'}) return keys
def encode(self, payload): """Encode the provided payload.""" keys = KEYS() if self.asymmetric: keys.add(RSAKey(key=RSA.importKey(settings.JWT_PRIVATE_SIGNING_KEY))) algorithm = 'RS512' else: key = self.secret if self.secret else self.jwt_auth['JWT_SECRET_KEY'] keys.add({'key': key, 'kty': 'oct'}) algorithm = self.jwt_auth['JWT_ALGORITHM'] data = json.dumps(payload) jws = JWS(data, alg=algorithm) return jws.sign_compact(keys=keys)
def _get_signing_jwk_key_set(jwt_issuer): """ Returns a JWK Keyset containing all active keys that are configured for verifying signatures. """ key_set = KEYS() # asymmetric keys signing_jwk_set = settings.JWT_AUTH.get('JWT_PUBLIC_SIGNING_JWK_SET') if signing_jwk_set: key_set.load_jwks(signing_jwk_set) # symmetric key key_set.add({'key': jwt_issuer['SECRET_KEY'], 'kty': 'oct'}) return key_set
def _get_jwks_keys(shared_key): """ Returns JWKS keys used to decrypt id_token values. """ # The OpenID Connect Provider (OP) uses RSA keys to sign/enrypt ID tokens and generate public # keys allowing to decrypt them. These public keys are exposed through the 'jwks_uri' and should # be used to decrypt the JWS - JSON Web Signature. log_prompt = "Get jwks keys: {}" logger.debug(log_prompt.format('Start')) jwks_keys = KEYS() logger.debug(log_prompt.format('Load from provider jwks endpoint')) jwks_keys.load_from_url(settings.AUTH_OPENID_PROVIDER_JWKS_ENDPOINT) # Adds the shared key (which can correspond to the client_secret) as an oct key so it can be # used for HMAC signatures. logger.debug(log_prompt.format('Add key')) jwks_keys.add({'key': smart_bytes(shared_key), 'kty': 'oct'}) logger.debug(log_prompt.format('End')) return jwks_keys
def encode(self, payload): """Encode the provided payload.""" keys = KEYS() if self.asymmetric: keys.add( RSAKey(key=RSA.importKey(settings.JWT_PRIVATE_SIGNING_KEY))) algorithm = 'RS512' else: key = self.secret if self.secret else self.jwt_auth[ 'JWT_SECRET_KEY'] keys.add({'key': key, 'kty': 'oct'}) algorithm = self.jwt_auth['JWT_ALGORITHM'] data = json.dumps(payload) jws = JWS(data, alg=algorithm) return jws.sign_compact(keys=keys)
def _decode_jwt(verify_expiration): """ Helper method to decode a JWT with the ability to verify the expiration of said token """ keys = KEYS() if should_be_asymmetric_key: keys.load_jwks(settings.JWT_AUTH['JWT_PUBLIC_SIGNING_JWK_SET']) else: keys.add({'key': secret_key, 'kty': 'oct'}) _ = JWS().verify_compact(access_token.encode('utf-8'), keys) return jwt.decode( access_token, secret_key, algorithms=[settings.JWT_AUTH['JWT_ALGORITHM']], audience=audience, issuer=issuer, verify_expiration=verify_expiration, options={'verify_signature': False}, )
def jwks(_request, _uri, headers): # noqa: E306 ks = KEYS() ks.add(self.key.serialize()) return 200, headers, ks.dump_jwks()
def jwks(_request, _uri, headers): ks = KEYS() ks.add(self.key.serialize()) return 200, headers, ks.dump_jwks()